[STRM] How to view IDP Profiler information for an IP

Article ID: KB16132 KB Last Updated: 27 Dec 2013 Version: 2.0
Summary:

STRM can be customized to look up profile information for any IP appearing in Events/Flows.

Symptoms:

How to view IDP Profiler information for an IP in STRM.

Cause:
 
Solution:

The Juniper NSM Profiler plugin for STRM is very simple in structure. NSM Profiler keeps all scan results in its own asset profile database. The STRM plugin connects to this database and harvests the existing results. STRM and NSM must both be configured for the integration.

Configuring STRM

  1. Customize the right-click menu to include IDP Profiler Lookup (see KB15315).
  2. Edit the file /opt/qradar/conf/JuniperProfilerRightClick.properties and add the following:
    • server=10.85.34.53 (NSM Server IP Address)
    • user=strm (Username to connect to Profiler DB)
    • password=strm (Pwd to connect to Profiler DB)

Configuring NSM

For STRM to have access to the NSM Profiler database, the postgres authentication configuration must be altered and the iptables packet filter must allow STRM access to the postgres database port (TCP port 5432). 

To configure authentication:

  1. Log in to the NSM via SSH (or on the console). 
  2. Edit the file /usr/netscreen/DevSvr/var/pgsql/data/pg_hba.conf.
  3. Assuming the address of the STRM host is 10.10.10.111, add a line similar to the following to the end of the pg_hba.conf file:
                     host all all 10.10.10.111/32 trust
  4. Enable the Profiler database to listen on addresses other than loopback: edit the file /usr/netscreen/DevSvr/var/pgsql/data/postgresql.conf and look for the line that looks like this:
    listen_addresses = 'localhost' [# of IP address(es) to listen on];

    Replace 'localhost' with '*' (asterisk); this will allow postgreSQL to listen on all interfaces.

  5. The profilerDb must be restarted for this change to take effect. Use the command /etc/init.d/devSvr restart to accomplish this.

The following steps (6 and 7) can be skipped if you want to use the same username and password that NSM uses to access the database (username=nsm).  The password associated with the nsm user for postgreSQL is configured during initial installation.

  6. Create a user strm to be used by STRM for querying the database. On the command line:
    [root@test ~]# createuser -U nsm strm
    Shall the new role be a superuser? (y/n) n
    Shall the new role be allowed to create databases? (y/n) n
    Shall the new role be allowed to create more new roles? (y/n) n
    CREATE ROLE
    [root@test ~]#
  7. Connect to the profilerDb as the NSM user to grant the new user access to the appropriate tables. Again on the command line, assuming the user is strm, enter:
    [root@test ~]# psql -U nsm profilerDb
    Welcome to psql 8.1.7, the PostgreSQL interactive terminal.
    Type: \copyright for distribution terms
    \h for help with SQL commands
    \? for help with psql commands
    \g or terminate with semicolon to execute query
    \q to quit

    profilerDb=# grant select on table host to strm;
    GRANT
    profilerDb=# grant select on table os to strm;
    GRANT
    profilerDb=# grant select on table profile to strm;
    GRANT
    profilerDb=# grant select on table value to strm;
    GRANT
    profilerDb=# grant select on table context to strm;
    GRANT
    profilerDb=#
    profilerDb=# alter user strm password 'juniper';
    ALTER ROLE
    profilerDb=#
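
The `trust` method in the pg_hba.conf line from step 3 lets 10.10.10.111 connect as any database user without a password, so the password set for strm is only checked under a password method such as `md5`. The following shell check is an added example, not part of the Juniper article; the function name `audit_pg_hba` and the narrower `host profilerDb strm ... md5` entry are assumptions used to show the weak line beside a scoped one.

```shell
#!/bin/sh
# Added example, not from the Juniper article.
# pg_hba.conf host entry: TYPE DATABASE USER CIDR-ADDRESS METHOD

# Constructed sample input: the step 3 line, and an assumed narrower
# alternative that names the database and role and requires a password.
WEAK_LINE='host all all 10.10.10.111/32 trust'
SCOPED_LINE='host profilerDb strm 10.10.10.111/32 md5'

# audit_pg_hba [FILE]: read pg_hba.conf from FILE or stdin, print one
# finding per risky remote entry, return 1 if anything was flagged.
audit_pg_hba() {
    awk '
        $1 !~ /^host(ssl|nossl)?$/ { next }  # skips comments, blanks, local
        $4 ~ /^(127\.|::1)/        { next }  # loopback is out of scope here
        {
            # METHOD is field 5 in CIDR form, field 6 in address+netmask form
            method = ($4 ~ /\//) ? $5 : $6
            why = ""
            if (method == "trust") why = why " no-password(trust)"
            if ($2 == "all")       why = why " all-databases"
            if ($3 == "all")       why = why " all-users"
            if (why != "") {
                printf "line %d from %s:%s\n", NR, $4, why
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Demo on the constructed lines (|| true: a finding is a non-zero status).
printf '%s\n' "$WEAK_LINE"   | audit_pg_hba || true
printf '%s\n' "$SCOPED_LINE" | audit_pg_hba && echo "scoped entry: no findings"
```

On the NSM host the same function can be pointed at the live file: `audit_pg_hba /usr/netscreen/DevSvr/var/pgsql/data/pg_hba.conf`.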

Testing Connectivity

The configuration can be tested from the STRM command line since the postgres client is available there.

  1. Log in to the STRM CLI and type:

    #psql -h $hostname -U $username $dbname

    Where $hostname, $username and $dbname are exactly as configured in the Admin UI for this scanner.  

  2. When prompted, provide the password.

  3. Once connected this way, try some select statements to confirm correct permissions:

    profilerDb=> SELECT count(*) FROM HOST;
    count
    -------
    277
    (1 row)

  4. Repeat the selection for each of the other tables: OS, PROFILE, VALUE, and CONTEXT.

To get Profiler Information for any IP in STRM
  1. Right click the IP.
  2. Select More Options > Plugin Options > Juniper IDP Profile.

  3. A new window with profile information for this IP will be displayed.